  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1916

Azure - Remove not required permissions from the Nodes


      Feature Overview (aka. Goal Summary)  

      Since the cloud controller manager (CCM) was moved out-of-tree for Azure, the 'azurerm_user_assigned_identity' resource that the Installer creates is no longer required. To make sure the Installer only creates the minimum permissions required to deploy OpenShift on Azure, this resource, which is created at install time, needs to be removed.

      Goals (aka. expected user outcomes)

      The Installer no longer creates the 'azurerm_user_assigned_identity' resource, which is no longer required for the Nodes.

      Requirements (aka. Acceptance Criteria)

      The Installer only creates the minimum permissions required to deploy OpenShift on Azure.

       

      Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, ensure you also provide the OCPSTRAT for the configuration to be supported in the future.

      | Deployment considerations | List applicable specific needs (N/A = not applicable) |
      |---|---|
      | Self-managed, managed, or both | |
      | Classic (standalone cluster) | |
      | Hosted control planes | |
      | Multi node, Compact (three node), or Single node (SNO), or all | |
      | Connected / Restricted Network | |
      | Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
      | Operator compatibility | |
      | Backport needed (list applicable versions) | |
      | UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
      | Other (please specify) | |

      Background

      Since CCM was moved out-of-tree, this permission is no longer required. We are implementing this change in 4.19 and backporting it to 4.18.z.

      At the same time, for customers running previous OpenShift releases, we will test upgrades between EUS releases (4.14.z - 4.16.z - 4.18.z) with the `azurerm_user_assigned_identity` resource removed beforehand, to ensure that the upgrade process works without issues and that OpenShift does not report any issues because of this change.

      Customer Considerations

      A KCS will be created for customers running previous OpenShift releases who want to remove this resource.

      Documentation Considerations

      The new permissions requirements will be documented.

              Marcos Entenza Garcia
              Scott Dodson
              Yunfei Jiang
              Stephanie Stout
              Patrick Dillon